1 /* $OpenBSD: ssl_rsa.c,v 1.20 2015/02/06 01:37:11 reyk Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 61 #include "ssl_locl.h" 62 63 #include <openssl/bio.h> 64 #include <openssl/evp.h> 65 #include <openssl/objects.h> 66 #include <openssl/pem.h> 67 #include <openssl/x509.h> 68 69 static int ssl_set_cert(CERT *c, X509 *x509); 70 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); 71 static int ssl_ctx_use_certificate_chain_bio(SSL_CTX *, BIO *); 72 73 int 74 SSL_use_certificate(SSL *ssl, X509 *x) 75 { 76 if (x == NULL) { 77 SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); 78 return (0); 79 } 80 if (!ssl_cert_inst(&ssl->cert)) { 81 SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE); 82 return (0); 83 } 84 return (ssl_set_cert(ssl->cert, x)); 85 } 86 87 int 88 SSL_use_certificate_file(SSL *ssl, const char *file, int type) 89 { 90 int j; 91 BIO *in; 92 int ret = 0; 93 X509 *x = NULL; 94 95 in = BIO_new(BIO_s_file_internal()); 96 if (in == NULL) { 97 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); 98 goto end; 99 } 100 101 if (BIO_read_filename(in, file) <= 0) { 102 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); 103 goto end; 104 } 105 if (type == SSL_FILETYPE_ASN1) { 106 j = ERR_R_ASN1_LIB; 107 x = d2i_X509_bio(in, NULL); 108 } else if (type == SSL_FILETYPE_PEM) { 109 j = ERR_R_PEM_LIB; 110 x = PEM_read_bio_X509(in, NULL, 111 ssl->ctx->default_passwd_callback, 112 ssl->ctx->default_passwd_callback_userdata); 113 } else { 114 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); 115 goto end; 116 } 117 118 if (x == NULL) { 119 SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j); 120 goto end; 121 } 122 123 ret = SSL_use_certificate(ssl, x); 124 end: 125 X509_free(x); 126 BIO_free(in); 127 return (ret); 128 } 129 130 int 131 SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) 132 { 133 X509 *x; 134 int ret; 135 136 x = d2i_X509(NULL, &d,(long)len); 137 if (x == NULL) { 138 SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); 139 return (0); 140 } 141 142 ret = SSL_use_certificate(ssl, x); 143 X509_free(x); 144 return (ret); 145 } 146 147 int 148 SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) 149 { 150 EVP_PKEY *pkey; 151 int ret; 152 153 if (rsa == NULL) { 154 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 155 return (0); 156 } 157 if (!ssl_cert_inst(&ssl->cert)) { 158 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE); 159 return (0); 160 } 161 if ((pkey = EVP_PKEY_new()) == NULL) { 162 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); 163 return (0); 164 } 165 166 RSA_up_ref(rsa); 167 EVP_PKEY_assign_RSA(pkey, rsa); 168 169 ret = ssl_set_pkey(ssl->cert, pkey); 170 EVP_PKEY_free(pkey); 171 return (ret); 172 } 173 174 static int 175 ssl_set_pkey(CERT *c, EVP_PKEY *pkey) 176 { 177 int i; 178 179 i = ssl_cert_type(NULL, pkey); 180 if (i < 0) { 181 SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 182 return (0); 183 } 184 185 if (c->pkeys[i].x509 != NULL) { 186 EVP_PKEY *pktmp; 187 pktmp = X509_get_pubkey(c->pkeys[i].x509); 188 EVP_PKEY_copy_parameters(pktmp, pkey); 189 EVP_PKEY_free(pktmp); 190 ERR_clear_error(); 191 192 /* 193 * Don't check the public/private key, this is mostly 194 * for smart cards. 195 */ 196 if ((pkey->type == EVP_PKEY_RSA) && 197 (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) 198 ; 199 else 200 if (!X509_check_private_key(c->pkeys[i].x509, pkey)) { 201 X509_free(c->pkeys[i].x509); 202 c->pkeys[i].x509 = NULL; 203 return 0; 204 } 205 } 206 207 EVP_PKEY_free(c->pkeys[i].privatekey); 208 CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); 209 c->pkeys[i].privatekey = pkey; 210 c->key = &(c->pkeys[i]); 211 212 c->valid = 0; 213 return (1); 214 } 215 216 int 217 SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) 218 { 219 int j, ret = 0; 220 BIO *in; 221 RSA *rsa = NULL; 222 223 in = BIO_new(BIO_s_file_internal()); 224 if (in == NULL) { 225 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB); 226 goto end; 227 } 228 229 if (BIO_read_filename(in, file) <= 0) { 230 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB); 231 goto end; 232 } 233 if (type == SSL_FILETYPE_ASN1) { 234 j = ERR_R_ASN1_LIB; 235 rsa = d2i_RSAPrivateKey_bio(in, NULL); 236 } else if (type == SSL_FILETYPE_PEM) { 237 j = ERR_R_PEM_LIB; 238 rsa = PEM_read_bio_RSAPrivateKey(in, NULL, 239 ssl->ctx->default_passwd_callback, 240 ssl->ctx->default_passwd_callback_userdata); 241 } else { 242 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 243 goto end; 244 } 245 if (rsa == NULL) { 246 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j); 247 goto end; 248 } 249 ret = SSL_use_RSAPrivateKey(ssl, rsa); 250 RSA_free(rsa); 251 end: 252 BIO_free(in); 253 return (ret); 254 } 255 256 int 257 SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) 258 { 259 int ret; 260 const unsigned char *p; 261 RSA *rsa; 262 263 p = d; 264 if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) { 265 SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 266 return (0); 267 } 268 269 ret = SSL_use_RSAPrivateKey(ssl, rsa); 270 RSA_free(rsa); 271 return (ret); 272 } 273 274 int 275 SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) 276 { 277 int ret; 278 279 if (pkey == NULL) { 280 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 281 return (0); 282 } 283 if (!ssl_cert_inst(&ssl->cert)) { 284 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); 285 return (0); 286 } 287 ret = ssl_set_pkey(ssl->cert, pkey); 288 return (ret); 289 } 290 291 int 292 SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) 293 { 294 int j, ret = 0; 295 BIO *in; 296 EVP_PKEY *pkey = NULL; 297 298 in = BIO_new(BIO_s_file_internal()); 299 if (in == NULL) { 300 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB); 301 goto end; 302 } 303 304 if (BIO_read_filename(in, file) <= 0) { 305 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); 306 goto end; 307 } 308 if (type == SSL_FILETYPE_PEM) { 309 j = ERR_R_PEM_LIB; 310 pkey = PEM_read_bio_PrivateKey(in, NULL, 311 ssl->ctx->default_passwd_callback, 312 ssl->ctx->default_passwd_callback_userdata); 313 } else if (type == SSL_FILETYPE_ASN1) { 314 j = ERR_R_ASN1_LIB; 315 pkey = d2i_PrivateKey_bio(in, NULL); 316 } else { 317 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 318 goto end; 319 } 320 if (pkey == NULL) { 321 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j); 322 goto end; 323 } 324 ret = SSL_use_PrivateKey(ssl, pkey); 325 EVP_PKEY_free(pkey); 326 end: 327 BIO_free(in); 328 return (ret); 329 } 330 331 int 332 SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len) 333 { 334 int ret; 335 const unsigned char *p; 336 EVP_PKEY *pkey; 337 338 p = d; 339 if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) { 340 SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 341 return (0); 342 } 343 344 ret = SSL_use_PrivateKey(ssl, pkey); 345 EVP_PKEY_free(pkey); 346 return (ret); 347 } 348 349 int 350 SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) 351 { 352 if (x == NULL) { 353 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER); 354 return (0); 355 } 356 if (!ssl_cert_inst(&ctx->cert)) { 357 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE); 358 return (0); 359 } 360 return (ssl_set_cert(ctx->cert, x)); 361 } 362 363 static int 364 ssl_set_cert(CERT *c, X509 *x) 365 { 366 EVP_PKEY *pkey; 367 int i; 368 369 pkey = X509_get_pubkey(x); 370 if (pkey == NULL) { 371 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB); 372 return (0); 373 } 374 375 i = ssl_cert_type(x, pkey); 376 if (i < 0) { 377 SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE); 378 EVP_PKEY_free(pkey); 379 return (0); 380 } 381 382 if (c->pkeys[i].privatekey != NULL) { 383 EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey); 384 ERR_clear_error(); 385 386 /* 387 * Don't check the public/private key, this is mostly 388 * for smart cards. 389 */ 390 if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && 391 (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & 392 RSA_METHOD_FLAG_NO_CHECK)) 393 ; 394 else 395 if (!X509_check_private_key(x, c->pkeys[i].privatekey)) { 396 /* 397 * don't fail for a cert/key mismatch, just free 398 * current private key (when switching to a different 399 * cert & key, first this function should be used, 400 * then ssl_set_pkey 401 */ 402 EVP_PKEY_free(c->pkeys[i].privatekey); 403 c->pkeys[i].privatekey = NULL; 404 /* clear error queue */ 405 ERR_clear_error(); 406 } 407 } 408 409 EVP_PKEY_free(pkey); 410 411 X509_free(c->pkeys[i].x509); 412 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); 413 c->pkeys[i].x509 = x; 414 c->key = &(c->pkeys[i]); 415 416 c->valid = 0; 417 return (1); 418 } 419 420 int 421 SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) 422 { 423 int j; 424 BIO *in; 425 int ret = 0; 426 X509 *x = NULL; 427 428 in = BIO_new(BIO_s_file_internal()); 429 if (in == NULL) { 430 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB); 431 goto end; 432 } 433 434 if (BIO_read_filename(in, file) <= 0) { 435 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB); 436 goto end; 437 } 438 if (type == SSL_FILETYPE_ASN1) { 439 j = ERR_R_ASN1_LIB; 440 x = d2i_X509_bio(in, NULL); 441 } else if (type == SSL_FILETYPE_PEM) { 442 j = ERR_R_PEM_LIB; 443 x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback, 444 ctx->default_passwd_callback_userdata); 445 } else { 446 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE); 447 goto end; 448 } 449 450 if (x == NULL) { 451 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j); 452 goto end; 453 } 454 455 ret = SSL_CTX_use_certificate(ctx, x); 456 end: 457 X509_free(x); 458 BIO_free(in); 459 return (ret); 460 } 461 462 int 463 SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) 464 { 465 X509 *x; 466 int ret; 467 468 x = d2i_X509(NULL, &d,(long)len); 469 if (x == NULL) { 470 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB); 471 return (0); 472 } 473 474 ret = SSL_CTX_use_certificate(ctx, x); 475 X509_free(x); 476 return (ret); 477 } 478 479 int 480 SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) 481 { 482 int ret; 483 EVP_PKEY *pkey; 484 485 if (rsa == NULL) { 486 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER); 487 return (0); 488 } 489 if (!ssl_cert_inst(&ctx->cert)) { 490 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE); 491 return (0); 492 } 493 if ((pkey = EVP_PKEY_new()) == NULL) { 494 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB); 495 return (0); 496 } 497 498 RSA_up_ref(rsa); 499 EVP_PKEY_assign_RSA(pkey, rsa); 500 501 ret = ssl_set_pkey(ctx->cert, pkey); 502 EVP_PKEY_free(pkey); 503 return (ret); 504 } 505 506 int 507 SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) 508 { 509 int j, ret = 0; 510 BIO *in; 511 RSA *rsa = NULL; 512 513 in = BIO_new(BIO_s_file_internal()); 514 if (in == NULL) { 515 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB); 516 goto end; 517 } 518 519 if (BIO_read_filename(in, file) <= 0) { 520 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB); 521 goto end; 522 } 523 if (type == SSL_FILETYPE_ASN1) { 524 j = ERR_R_ASN1_LIB; 525 rsa = d2i_RSAPrivateKey_bio(in, NULL); 526 } else if (type == SSL_FILETYPE_PEM) { 527 j = ERR_R_PEM_LIB; 528 rsa = PEM_read_bio_RSAPrivateKey(in, NULL, 529 ctx->default_passwd_callback, 530 ctx->default_passwd_callback_userdata); 531 } else { 532 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE); 533 goto end; 534 } 535 if (rsa == NULL) { 536 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j); 537 goto end; 538 } 539 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); 540 RSA_free(rsa); 541 end: 542 BIO_free(in); 543 return (ret); 544 } 545 546 int 547 SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len) 548 { 549 int ret; 550 const unsigned char *p; 551 RSA *rsa; 552 553 p = d; 554 if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) { 555 SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 556 return (0); 557 } 558 559 ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa); 560 RSA_free(rsa); 561 return (ret); 562 } 563 564 int 565 SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) 566 { 567 if (pkey == NULL) { 568 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, 569 ERR_R_PASSED_NULL_PARAMETER); 570 return (0); 571 } 572 if (!ssl_cert_inst(&ctx->cert)) { 573 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE); 574 return (0); 575 } 576 return (ssl_set_pkey(ctx->cert, pkey)); 577 } 578 579 int 580 SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) 581 { 582 int j, ret = 0; 583 BIO *in; 584 EVP_PKEY *pkey = NULL; 585 586 in = BIO_new(BIO_s_file_internal()); 587 if (in == NULL) { 588 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB); 589 goto end; 590 } 591 592 if (BIO_read_filename(in, file) <= 0) { 593 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB); 594 goto end; 595 } 596 if (type == SSL_FILETYPE_PEM) { 597 j = ERR_R_PEM_LIB; 598 pkey = PEM_read_bio_PrivateKey(in, NULL, 599 ctx->default_passwd_callback, 600 ctx->default_passwd_callback_userdata); 601 } else if (type == SSL_FILETYPE_ASN1) { 602 j = ERR_R_ASN1_LIB; 603 pkey = d2i_PrivateKey_bio(in, NULL); 604 } else { 605 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, 606 SSL_R_BAD_SSL_FILETYPE); 607 goto end; 608 } 609 if (pkey == NULL) { 610 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j); 611 goto end; 612 } 613 ret = SSL_CTX_use_PrivateKey(ctx, pkey); 614 EVP_PKEY_free(pkey); 615 end: 616 BIO_free(in); 617 return (ret); 618 } 619 620 int 621 SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, 622 long len) 623 { 624 int ret; 625 const unsigned char *p; 626 EVP_PKEY *pkey; 627 628 p = d; 629 if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) { 630 SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB); 631 return (0); 632 } 633 634 ret = SSL_CTX_use_PrivateKey(ctx, pkey); 635 EVP_PKEY_free(pkey); 636 return (ret); 637 } 638 639 640 /* 641 * Read a bio that contains our certificate in "PEM" format, 642 * possibly followed by a sequence of CA certificates that should be 643 * sent to the peer in the Certificate message. 644 */ 645 static int 646 ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) 647 { 648 int ret = 0; 649 X509 *x = NULL; 650 651 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ 652 653 x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, 654 ctx->default_passwd_callback_userdata); 655 if (x == NULL) { 656 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); 657 goto end; 658 } 659 660 ret = SSL_CTX_use_certificate(ctx, x); 661 662 if (ERR_peek_error() != 0) 663 ret = 0; 664 /* Key/certificate mismatch doesn't imply ret==0 ... */ 665 if (ret) { 666 /* 667 * If we could set up our certificate, now proceed to 668 * the CA certificates. 669 */ 670 X509 *ca; 671 int r; 672 unsigned long err; 673 674 if (ctx->extra_certs != NULL) { 675 sk_X509_pop_free(ctx->extra_certs, X509_free); 676 ctx->extra_certs = NULL; 677 } 678 679 while ((ca = PEM_read_bio_X509(in, NULL, 680 ctx->default_passwd_callback, 681 ctx->default_passwd_callback_userdata)) != NULL) { 682 r = SSL_CTX_add_extra_chain_cert(ctx, ca); 683 if (!r) { 684 X509_free(ca); 685 ret = 0; 686 goto end; 687 } 688 /* 689 * Note that we must not free r if it was successfully 690 * added to the chain (while we must free the main 691 * certificate, since its reference count is increased 692 * by SSL_CTX_use_certificate). 693 */ 694 } 695 696 /* When the while loop ends, it's usually just EOF. */ 697 err = ERR_peek_last_error(); 698 if (ERR_GET_LIB(err) == ERR_LIB_PEM && 699 ERR_GET_REASON(err) == PEM_R_NO_START_LINE) 700 ERR_clear_error(); 701 else 702 ret = 0; /* some real error */ 703 } 704 705 end: 706 X509_free(x); 707 return (ret); 708 } 709 710 int 711 SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) 712 { 713 BIO *in; 714 int ret = 0; 715 716 in = BIO_new(BIO_s_file_internal()); 717 if (in == NULL) { 718 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB); 719 goto end; 720 } 721 722 if (BIO_read_filename(in, file) <= 0) { 723 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB); 724 goto end; 725 } 726 727 ret = ssl_ctx_use_certificate_chain_bio(ctx, in); 728 729 end: 730 BIO_free(in); 731 return (ret); 732 } 733 734 int 735 SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len) 736 { 737 BIO *in; 738 int ret = 0; 739 740 in = BIO_new_mem_buf(buf, len); 741 if (in == NULL) { 742 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB); 743 goto end; 744 } 745 746 ret = ssl_ctx_use_certificate_chain_bio(ctx, in); 747 748 end: 749 BIO_free(in); 750 return (ret); 751 } 752